The Five Most Common Misconceptions of Enterprise Security
The mistake organizations make here is overreacting to perceived threats, which in turn allows real or more serious threats to go unattended.
A Sense of Falling
When high-profile cases like E&Y, ING, and, more recently, the VA hit the public consciousness, organizations tend to react by adjusting their security spend. These incidents of lost laptops or data tapes led organizations to roll out new policies requiring that all data on laptops and in databases be encrypted.
That is not to say that laptop and database encryption is a bad policy, per se, but you have to understand that it only mitigates the risk of physical theft of the computer or the database media. Encryption at rest does nothing for data that is being used by a running, unlocked system or by anyone holding valid credentials. It does not protect the organization from risks such as hacking, malicious code, bots, worms, Trojans, insider crime, unauthorized workers who obtain legitimate credentials, criminal third parties, and so on. And all of this assumes the encryption was implemented correctly, the keys are managed properly, and the organization gave its teams adequate training, which almost never happens.
The driver for the new policy was a perceived new or heightened threat. This psychology is a dangerous trap.
The same thing happens in the non-IT world, too. In 1967 Sweden changed from driving on the left side of the road to driving on the right. What happened? In the 12 months that followed, auto fatalities dropped by 35%. Was the right side of the road safer? Was there a major advance in automobile safety in Sweden in 1967? No.
There was simply a change in the rules, and as a result people felt more at risk because the change was recent. The sad part is that 12 months later, auto fatalities were exactly where they had been before 1967. People forgot they were at risk and adjusted their behavior once again.
Rising to the Occasion
When asked to justify why you're seeking security budget dollars, ask yourself whether the spending is absolutely critical or whether you're just doing it to cover your butt. CISOs (chief information security officers) and CIOs are frequently in the position of having to justify security spend. If the drivers are eerily similar to the ones mentioned above, consider the reasons carefully before asking for those dollars.
Perhaps you're even asked to implement a particular security solution because your board recently became aware of a security incident at a similar type of organization and they're fearful the same might happen at yours. While you're asking yourself questions, ask this one, too: If I alone had the ability to decide where and how to spend the security budget, and I could choose only one place, where would I spend it?
Often the answer is different than where your board might choose. Forcing the issue can make you a voice of reason in a world of security FUD (fear, uncertainty and doubt).